What is Protected Health Information in Psychotherapy Practice?
The Brief defines protected health information (PHI) under federal law.
"The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI).
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number, etc...).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Dis-Identified Health Information
Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. There are 18 identifiers.
Name
Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
Telephone numbers
FAX number
Email address
Social Security number
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or other device serial number
Device identifiers or serial numbers
Web URL
IP address
Finger or voice prints
Photographic images
Any other unique identifying number, characteristic, or code
A critical point of the Privacy Rule is that it applies only to individually identifiable health information held or maintained by a covered entity or a business associate acting for the covered entity.
Individually identifiable health information held by anyone other than a covered entity, including an independent researcher who is not a covered entity, is not protected by the Privacy Rule and may be used or disclosed without regard to the Privacy Rule. This is why psychotherapists need to implement Business Associate Agreements (BAA). There may, however, be other Federal and State protections covering the information held by these entities that limit its use or disclosure.
http://privacyruleandresearch.nih.gov/pr_07.asp
Michael G. Conner, PsyD is a psychologist in private practice and an owner of Private Practice Cloud, LLC a healthcare operation support business. His business currently supports The American Mental Health Alliance Oregon (AMHA-OR). Dr. Conner is a member of the Board of Directors of Mentor Research Institute (MRI). He acknowledges Michaele P. Dunlap, PsyD, Board Secretary of AMHA-OR, and President of MRI, as co-author of this article.